US20110131303A1 - Providing network security services for multiple requesters - Google Patents
Providing network security services for multiple requesters Download PDFInfo
- Publication number
- US20110131303A1 US20110131303A1 US12/627,876 US62787609A US2011131303A1 US 20110131303 A1 US20110131303 A1 US 20110131303A1 US 62787609 A US62787609 A US 62787609A US 2011131303 A1 US2011131303 A1 US 2011131303A1
- Authority
- US
- United States
- Prior art keywords
- data
- shut down
- database
- initialization
- request
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
Definitions
- Embodiments of the present invention relate to establishing secure connections in a network. Specifically, the embodiments of the present invention relate to a method and system for providing network security services to multiple requesters.
- the security module 160 can cause the PKCS-based module 123 to close the open databases.
- database-A, database-B, and database-C can remain open until the other requesters (e.g., applications 150 and libraries 175 ) each generate and send a shut down request 189 indicating that a requester is done accessing the opened databases.
Abstract
A security initialization system receives a first initialization request from a first requester to access a first database storing security data and stores context data for the first initialization request that identifies an initialization operation associated with the first database. The security initialization system receives a second initialization request from a second requester to access a second database storing security data and updates the context data to identify an initialization operation associated with the second database. The security initialization system receives a shut down request from one of the requesters, where the shut down request includes data for identifying a corresponding initialization operation in the context data. The security initialization system updates the context data to show that the corresponding initialization operation has a shut down request and determines whether a security module is to be shut down using the context data.
Description
- The present application is related to co-filed U.S. patent application Ser. No. ______ entitled “Using a PKCS Module for Opening Multiple Databases” (attorney docket number 5220.P647), which is assigned to the assignee of the present application.
- Embodiments of the present invention relate to establishing secure connections in a network. Specifically, the embodiments of the present invention relate to a method and system for providing network security services to multiple requesters.
- A server and a client can be protected such as with a secure socket layer (SSL) connection between the server and client. SSL is a protocol that provides security for communications over networks such as the Internet. A server may obtain a certificate for allowing an encryption key to be generated for establishing the SSL connection with a client. A certificate can contain the name of the server or other entity that is being identified, the server's public key, the name of the issuing CA, and other information proving that the certificate is authenticated. When a certificate is issued, the certificate and certificate information are typically stored in one or more databases. Other information may include a public key, a private key for decrypting encrypted content, and/or whether or not a certificate is trusted for a particular purpose (trust information). For example, a user may wish to view an encrypted email message received by the user and a client email application can search for the private key to decrypt the email.
- The key may be associated with a particular cryptographic standard, such as public key cryptography standard (PKCS), for example, the PKCS #11 industry standard. An application, such as a web browser or an email application, can construct a request for the key through a security module, such as a network security services (NSS) module. Typically, applications identify the database to be opened in the request and initialize NSS to open the particular database to provide SSL services.
- The application can also call different system library services, such as for HTTP operations, LDAP operations, etc. The system libraries may also initialize NSS for NSS to provide SSL services. When NSS is initialized, NSS causes a module to open a database, such as a database storing a key. However, when NSS is running as a result of a first initialization by a library or an application, NSS is unable to open another database for any subsequent initialization requests. An application and library, therefore, are unable to access another database until NSS is shut down and re-initialized.
- The present invention is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings in which like references indicate similar elements. It should be noted that different references to “an” or “one” embodiment in this disclosure are not necessarily to the same embodiment, and such references mean at least one.
-
FIG. 1 illustrates an exemplary network architecture in which embodiments of the present invention may operate. -
FIGS. 2A and 2B are a flow diagram which illustrates an embodiment of a method for providing network security services to multiple requesters. -
FIG. 3 is a diagram of one embodiment of the security initialization system. - Embodiments of the invention are directed to a method and system for providing network security services to multiple requesters. A security initialization system receives a first initialization request from a first requester to access a first database storing security data and stores context data for the first initialization request that identifies an initialization operation associated with the first database. The security initialization system receives a second initialization request from a second requester to access a second database storing security data and updates the context data to identify an initialization operation associated with the second database. The security initialization system receives a shut down request from one of the requesters, where the shut down request includes data for identifying a corresponding initialization operation in the context data. The security initialization system updates the context data to show that the corresponding initialization operation has a shut down request and determines whether a security module is to be shut down using the context data.
- Embodiments of the present invention can receive a request for network security services (NSS) from multiple requesters and can provide network security services in response to each request. For example, an HTTP library can request access to security data in a first database and the initialization system can initialize NSS to cause the first database to open. Subsequently, an email application can request access to security data in a second database and the initialization system can cause the second database to open. Embodiments of the present invention can store and maintain context data that identifies an initialization operation associated with each open database. The initialization system can use the context data to determine whether to shut down a network security services (NSS) module. For example, the initialization system can search the context data to determine whether a shut request was received for the initialization operation associated with the first database and whether a shut down request was received for the initialization operation associated with the second database. The initialization system can shut down the NSS module when shut down requests were received for all of the initialization operations.
-
FIG. 1 illustrates anexemplary network architecture 100 on which embodiments of the present invention can be implemented. Thenetwork architecture 100 can include one or more servers, such asmail servers 107 to process mail requests for auser 101, and one ormore web servers 109 to provide web content to auser 101. Thenetwork architecture 100 can also include one or more Certificate Authority (CA)servers 111 that issue digital certificates for use by other parties, such as auser 101 or a server 107-109. - A
client device 103 for auser 101 is coupled to anetwork 105. Auser 101 can use theclient device 103 to access data, such as web content or email content, hosted by a server, such as aweb server 109 or amail server 107. Theuser 101 can access the data using a general purpose browser or aspecialized application 150. Anapplication 150 can be a web browser, a cryptography application, an email client, or the like. Theapplication 150 may need access to security data to enable a user to view the email message or web content. For example, anapplication 150 may be an email application which requires a key to decrypt an email message. Anapplication 150 can also call differentsystem library services 175, such as for HTTP operations, LDAP operations, etc. Thesystem libraries 175 may also need access to security data for SSL services. - Security data can be stored in a data storage system. A data storage system can include data stores, file systems, tokens (e.g., a smartcard), etc. A database is an example of a data store. Examples of security data include a root-certificate stored in a root-
certificate database 127, a user certificate stored in acertificate database 129, a key stored in akey database 131, PKCS #11 objects stored in a PKCSdatabase 133, PKCS #11 objects stored in asmartcard 137, a Privacy Enhanced Mail (PEM) file stored in aPEM database 135, asystem list 151 or user list of PKCS #11 modules, etc. The databases may be part of theclient computer 103 or may reside on a separate computer and accessed vianetwork 105. - When a need for security data arises in an
application 150 and/or alibrary 175, access to the security data can be provided through asecurity initialization system 170. Aclient device 103 can include asecurity initialization system 170 for opening databases that store the security data based on user-configurable policy information 153. Thepolicy information 153 can be stored in apolicy data store 121. - The
initialization system 170 can include asecurity module 160 and a PKCS-based module 123 (e.g., PKCS #11-based modules). In cryptography, public key cryptography standard (PKCS) refers to a group of public key cryptography standards. Security data may be stored on a hardware cryptographic token (e.g., a smart card, USB flash drive, etc.). PKCS #11 is the Cryptographic Token Interface standard that specifies an API defining a generic interface to a cryptographic token. Thesecurity module 160 can cause the PKCS-basedmodule 123 to open and close databases. - The
network architecture 100 can also include acontext data store 183 storingcontext data 185, asystem data store 117 storing asystem list 151, and amodule library 119 that includes a module database (dB)interface 159. This division of functionality is presented by way of example for sake of clarity. One skilled in the art would understand that the functionality described could be combined into a monolithic component or sub-divided into any combination of components. - An
application 150 and/or alibrary 175 can request access to security data (e.g., a key) using asecurity module 160, such as a network security services (NSS) module, made accessible through an operating system, such as by providing an application programming interace (API) or the like. Anapplication 150 and/or alibrary 175 can generate aninitialization request 161. Therequest 161 is received by thesecurity module 160. It will be appreciated that the security module includes a set of libraries for supporting security-enabled client and server application. - The
security module 160 can include a multi-initializer 180 for receiving multiple requests to initialize thesecurity module 160 and to cause a database storing security data to open for each request. The multi-initializer 180 can also manage the shut down of thesecurity module 160. The multi-initializer 180 can receive aninitialization request 161 from a first requester, such as anapplication 150 or alibrary 175, to access a first database storing security data (e.g., one of databases 127-135). For example, alibrary 175 may first request access to security data that is stored in thecertificate database 129. The multi-initializer 180 can receive the library's 175 request and can initialize thesecurity module 160 to cause thecertificate database 129 to be opened. The multi-initializer 180 can receive asecond initialization request 161 from a second requester, such as anapplication 150 or alibrary 175, to access a second database storing security data (e.g., one of databases 127-135). For example, anapplication 150 can request access to security data that is stored in another database, such as akey database 131. The multi-initializer 180 can receive the application's 150 request, can detect that thesecurity module 160 is already initialized from the previous request made by thelibrary 175, and can cause a PKCS-basedmodule 123 to open thekey database 129 without shutting down thesecurity module 160. The multi-initializer 180 can also receive multiple requests to initialize thesecurity module 160 to open the same database and optimize the multiple requests by opening the database with a single initialization operation. - The multi-initializer 180 can also store and maintain
context data 185 for each initialization request, for example, in apersistent storage unit 183. Thecontext data 185 can include data that identifies an initialization operation that is associated with a database to be opened. An initialization operation can be identified by a unique identifier. For example, an HTTP library can generate an initialization request to access data stored in database-A and cause an initialization operation to open database-A. In addition, an LDAP library can also generate an initialization request to access data stored in a different database, database-B, and a web browsing application can generate an initialization request to access data stored in database-C. Thecontext data 185 can include data identifying that database-A, database-B, and database-C are open, and data pertaining to the three initialization operations, each initialization operation having a unique identifier and being associated with an open database. - The
context data 185 can include a reference count for a database to track multiple opens of the database. For example, anapplication 150 may request request access to security data that is stored in a database, such as a key database. The multi-initializer 180 can receive the application's request and can initialize thesecurity module 160 to cause thekey database 131 to be opened. A library may also request access to the samekey database 131. The multi-initializer 180 can receive the library's request, can detect that thesecurity module 160 is already initialized from the previous request made by the application, and can use a reference count to record the second request to open thekey database 131. - The multi-initializer 180 can use the
context data 185 to manage the shut down of thesecurity module 160. A requester, such as anapplication 150 or alibrary 175, that is done accessing the open databases can generate a shut downrequest 189. Theshutdown request 189 may include data that identifies the requester, a database, and/or an initialization operation. The multi-initializer 180 can use data in the shutdown request to identify an initialization operation in the context data that corresponds to the shutdown request. For example, the LDAP library may be done accessing security data in the open databases and can generate a shut downrequest 189 that includes the identifier for its initialization operation. Theshutdown request 189 may include data that identifies the requester (e.g., anapplication 150 or a library 175) and/or a database. The multi-initializer 180 can determine an initialization operation that corresponds to the shut downrequest 189 using the database and/or requester information. - The multi-initializer 180 can receive the shut down
request 189 and update thecontext data 185 to reflect the shut down request. For example, thecontext data 185 can be updated to show that an initialization operation identified in the shut down request from the LDAP library is shut down. The multi-initializer 180 can search the context data for a matching identifier and can delete the initialization operation data in the context data or can change the initialization operation data to show that it is shut down. - The multi-initializer 180 can determine from the
context data 189 whether there are other requesters, such asapplications 150 orlibraries 175, that are still accessing the open databases. For example, the multi-initializer 180 can determine whether the HTTP library and web browsing application are still accessing database-A, database-B, and database-C. The multi-initializer 180 can examine the context data to determine whether all of the initialization operations in the context data have been shut down. In one embodiment, the open databases can remain open until the multi-initializer 180 detects that all initialization operations have corresponding shut down requests. When the multi-initializer 180 detects that all initialization operations have corresponding shut down requests, the multi-initializer 180 can shut down thesecurity module 160 and cause the open databases to close. Thesecurity module 160 can cause the PKCS-basedmodule 123 to close the open databases. For example, database-A, database-B, and database-C can remain open until the other requesters (e.g.,applications 150 and libraries 175) each generate and send a shut downrequest 189 indicating that a requester is done accessing the opened databases. - In another embodiment, a shut down
request 161 can identify an initialization operation used to open a database and the multi-initializer 180 can cause the open database associated with the initialization operation to close. For example, the LDAP library may be done accessing security data in the database-B and can generate a shut downrequest 189 that includes the identifier for its initialization operation (or a database and requester identifier) which is associated with database-B. The multi-initializer 180 can determine whether all initialization operations for the particular database (e.g., database-B) have corresponding shut down requests. The multi-initializer 180 can use the reference count in thecontext data 185 for determining whether all initialization operations for the particular database (e.g., database-B) have corresponding shut down requests. When the multi-initializer 180 detects that all initialization operations for the particular database have corresponding shut down requests, the multi-initializer 180 can cause the open database (e.g., database-B) to close. The multi-initializer 180 can cause the PKCS-basedmodule 123 to close database-B without shutting down any other open databases. - To open a database that stores the security data in response to detecting an
initializaton request 161, thesecurity module 160 can access asystem data store 117 to determine which database to open. Thesystem data store 117 can store data (e.g., a system list 151) that identifies amodule library 119. Themodule library 119 can store amodule dB interface 159. Themodule dB interface 159 can obtain user-configurable policy information 153, for example, stored in apolicy data store 121. Thepolicy data store 121 can be a lightweight data access protocol (LDAP) based database. The LDAP-based database can be locally stored on may be part of a server (not shown) accessed vianetwork 105. Thepolicy information 153 can identify a database to be opened for aparticular request 161 based on server type (e.g., web server, mail server), application type (e.g., email application, web browser), application name (e.g., Internet Explorer®, Firefox®), and user (e.g., root-user, administrative user). Thepolicy information 153 can be configured by a user, such as a system administrator. - In another embodiment, the
security module 160 can determine which database to open for aparticular request 161 from module data that can be included in themodule dB interface 159. Module data can include operating system specific lists (e.g., list 155) that identify databases to be opened for aparticular initializaton request 161. For example,list 155 can be a list for the Linux operating system that identifies thecertificate database 129 and the root-certificate database 127 as the databases to open for aparticular initialization request 161. - The
security module 160 can cause a PKCS-basedmodule 123 to be initialized for opening a database identified by the user-configurable policy information 153 or the module data (e.g., list 155). Themodule dB interface 159 can generate load data based on the the user-configurable policy information 153 or the module data and can send theload data 165 to the PKCS-basedmodule 123. Theload data 165 can include the name of the database to be opened, the location of the database, and the access type for the database (e.g., read, write, read/write). - PKCS #11 provides an interface to one or more cryptographic devices that are active in a system (e.g., client 103) through a number of “slots” (not shown). Typically, each slot corresponds to a physical reader or other device interface for a token. A system may have some number of slots, and an
application 150 can connect to tokens in any or all of those slots. PKCS #11 provides the interface to access a token through a slot. - A database storing security data or a file on disk storing security data may be perceived as a software token. The
module dB interface 159 can sendload data 165, which identifies which database to open, to the PKCS-basedmodule 123. Themodule dB interface 159 can cause the PKCS-basedmodule 123 to initialize for opening the database identified in theload data 165. When the PKCS-basedmodule 123 is initialized, the PKCS-based module opens a slot for opening the database, which enables anapplication 150 to access the database using the opened slot. - For each database to be opened, the
module dB interface 159 can send a request that includes theload data 165 to the PKCS-basedmodule 123. For example, themodule dB interface 159 can send aRequest 1 to initialize the PKCS-basedmodule 123 to cause a database, such as acertificate database 129, to open, for example, with read/write access. Theload data 165 may be in a format according to the PKCS#11 industry standard. The PKCS-basedmodule 123 can receive theload data 165 and can translate theload data 165 into aproprietary database operation 167 to cause the database (e.g., certificate database 129) to open. Examples of the PKCS-basedmodule 123 can include a PEM module for opening PEM databases (e.g., PEM database 135) or can be a soft-token module for opening user databases and system databases. Privacy Enhanced Mail (PEM) is a protocol for securing email using public key cryptography. -
Policy information 153 or module data may identify more than one database to be opened and the PKCS-basedmodule 123 may receive more than one request to open a database (e.g.,Request 1 to Request n). The PKCS #11 standard, however, allows a module to be initialized once, and while the module is running, other calls to use the module will produce an error. For example, after the PKCS-basedmodule 123 is initialized in response toRequest 1, which opened thecertificate database 129 with read/write access, the PKCS-basedmodule 123 may receiveRequest 2 to open a different database, such as akey database 131 with read/write access, while the PKCS-basedmodule 123 is still running. - The PKCS-based
module 123 can generate an error (e.g., error code) indicating that the PKCS-basedmodule 123 is already initialized (opened). Since the PKCS-basedmodule 123 is already initialized, the PKCS-based module cannot open a slot to enable anapplication 105 to access a database (e.g., key database 131) forRequest 2. Thesecurity module 160 can detect the error (e.g., error code) to determine that the PKCS-basedmodule 123 is already initialized. In response to determining that the PKCS-basedmodule 123 is already initialized, thesecurity module 160 can cause the PKCS-basedmodule 123 to create a slot to open the database (e.g., key database 131) which would enable anapplication 150 to access the opened database. For an additional request, such as Request n, the PKCS-basedmodule 123 can create an additional slot to open a database for Request n. The PKCS-basedmodule 123 can create one slot for each database to be opened. - A
CA server 111,mail server 107, andweb server 109 can be any type of computing device including server computers, desktop computers, laptop computers, hand-held computers, or similar computing device. Aclient device 103 can be a smart hand-held device or any type of computing device including desktop computers, laptop computers, mobile communications devices, cell phones, smart phones, hand-held computers or similar computing device capable of transmitting certificate requests and receiving certificates. Thenetwork 105 can be a wide area network (WAN), such as the Internet, a local area network (LAN), such as an intranet within a company, a wireless network, a mobile communications network, or a similar communication system. Thenetwork 105 can include any number of networking and computing devices such as wired and wireless devices. - Security data can be stored in databases (e.g., root-
certificate database 127,certificate database 129,key database 131,PKCS database 133, PEM database 135) in one or more persistent storage units. These databases may be separate or combined databases. System lists 151 can be stored in asystem data store 117 in a persistent storage unit. User-configurable policy information 153 can be stored in apolicy data store 121 in a persistent storage unit. A data store can be a table, a database, a file, etc. Amodule dB interface 159 can be stored in amodule library 119 in a persistent storage unit. A persistent storage unit can be a local storage unit or a remote storage unit. Persistent storage units can be a magnetic storage unit, optical storage unit, solid state storage unit or similar storage unit. Persistent storage units can be a monolithic device or a distributed set of devices. A ‘set,’ as used herein, refers to any positive whole number of items. - The
security module 160, the multi-initializer 180, the PKCS-basedmodule 123, and themodule dB interface 159 can be implemented as hardware, computer-implemented software, firmware or a combination thereof. In one embodiment, thesecurity module 160, the multi-initializer 180, the PKCS-basedmodule 123, and themodule dB interface 159 comprise instructions stored inmemory 304 that cause aprocessing device 302 inFIG. 3 described in greater detail below to perform the functions of thesecurity module 160, the multi-initializer 180, the PKCS-basedmodule 123, and themodule dB interface 159. -
FIGS. 2A and 2B are a flow diagram which illustrates an embodiment of amethod 200 for providing network security services to multiple requesters.Method 200 can be performed by processing logic that can comprise hardware (e.g., circuitry, dedicated logic, programmable logic, microcode, etc.), software (e.g., instructions run on a processing device), or a combination thereof. In one embodiment,method 200 is performed by thesecurity initialization system 170 including a multi-initializer 180 in aclient machine 103 ofFIG. 1 . - In one embodiment, the
method 200 can be invoked upon the security initialization system receiving a first initialization request from a first requester, such as an application or a library, to access security data in a first database atblock 201. Examples of security data can include a key, a certificate, a PEM file, etc. For example, an application may be an email application requesting a key for decrypting an email. Atblock 203, the initialization system can cause a PKCS-based module to open the first database. - At
block 205, the initialization system can generate and store context data for the first initialization request. The context data can include data that identifies an initialization operation that is associated with an open database. An initialization operation can be identified by a unique identifier. The initialization system can store context data in a persistent storage unit. - At
block 207, the initialization system can receive a second initalization request from a second requester to access data in a second database. The initialization system may receive a second initialization request from a second requester to access data in the same first database. Atblock 209, the initialization system can cause a PKCS-based module to open the second database. Atblock 211, the initialization system can update the context data to identify an initialization operation that is associated with the second database. If the initialization request is a request to open the same first database, the initialization system can add a reference count in the context data associated with the first database. - At
block 213, the security initialization system can receive a shut down request from one of the requesters (e.g., an application or a library). A shut down request can indicate that a requester is done accessing security data in the open databases. A shutdown request may include data that identifies the requester, a database, and/or an initialization operation. The shutdown request can include data for identifying a corresponding initialization operation in the context data. For example, an HTTP library may generate an initialization request for access to data which is stored in database-A and subsequently generate a shut down request that includes an indentifier associated the initialization operation to open database-A. A shutdown request may include data that identifies the requester (e.g., anapplication 150 or a library 175) and/or a database. The security initialization system can determine an initialization operation that corresponds to the shut down request using the database and/or requester information. - At
block 215, the initialization system can search the context data to identify a corresponding initialization operation in the context data. The initialization system can search the context data for an initialization identifier that matches an initialization identifier included in the shut down request. Atblock 217, the initialization system can update the context data to reflect the shut down request. The initialization system can delete the initialization operation data in the context data or can change the initialization operation data to show that it is shut down. - At
block 219, the initialization system can determine from the context data whether there are other requesters (e.g., applications or libraries) that are still accessing the open databases. In one embodiment, the open databases can remain open until the initialization system detects that all initialization operations in the context data have been shut down. For example, database-A, database-B, and database-C can remain open until the other requesters (e.g., applications and libraries) each generate and send a shut down request for a corresponding intialization operation. - If the initialization system detects that not all of the initialization operations have been shut down (block 219), the method ends. If the initialization system detects that all initialization operations have been shut down (block 219), the initialization system can shut down the security module at
block 221. The initialization system can cause the open databases to close when the security module is shut down. The initialization system can can cause a PKCS-based module to close the open databases. - In another embodiment, the initialization system can close an open database that corresponds to a shut down request. A shutdown request may include data that identifies the requester, a database, and/or an initialization operation. The initialiation system can identify an initialization operation used to open a database from the data in the shut down request and can cause the open database associated with the initialization operation to close. For example, the LDAP library may be done accessing security data in the database-B and can generate a shut down request. The initialization system can identify based on data in the shut down request that database-B is to be closed. The initialization system can determine whether all initialization operations for the particular database (e.g., database-B) have corresponding shut down requests. The initialization system can use a reference count in the context data for determining whether all initialization operations for the particular database have corresponding shut down requests. When the initialization system can detects that all initialization operations for the particular database have corresponding shut down requests, the initialization system can cause the open database (e.g., database-B) to close. The initialization system can cause a PKCS-based module to close database-B without shutting down any other open databases.
-
FIG. 3 is a diagram of one embodiment of a computer system for for multi-initialization of networks security services. Within thecomputer system 300 is a set of instructions for causing the machine to perform any one or more of the methodologies discussed herein. In alternative embodiments, the machine may be connected (e.g., networked) to other machines in a LAN, an intranet, an extranet, or the Internet. The machine can operate in the capacity of a server or a client machine (e.g., a client computer executing the browser and the server computer executing the automated task delegation and project management) in a client-server network environment, or as a peer machine in a peer-to-peer (or distributed) network environment. The machine may be a personal computer (PC), a tablet PC, a console device or set-top box (STB), a Personal Digital Assistant (PDA), a cellular telephone, a web appliance, a server, a network router, switch or bridge, or any machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine. Further, while only a single machine is illustrated, the term “machine” shall also be taken to include any collection of machines (e.g., computers) that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein. - The
exemplary computer system 300 includes aprocessing device 302, a main memory 304 (e.g., read-only memory (ROM), flash memory, dynamic random access memory (DRAM) such as synchronous DRAM (SDRAM) or DRAM (RDRAM), etc.), a static memory 306 (e.g., flash memory, static random access memory (SRAM), etc.), and a secondary memory 316 (e.g., a data storage device in the form of a drive unit, which may include fixed or removable computer-readable storage medium), which communicate with each other via abus 308. -
Processing device 302 represents one or more general-purpose processing devices such as a microprocessor, central processing unit, or the like. More particularly, theprocessing device 302 may be a complex instruction set computing (CISC) microprocessor, reduced instruction set computing (RISC) microprocessor, very long instruction word (VLIW) microprocessor, processor implementing other instruction sets, or processors implementing a combination of instruction sets.Processing device 302 may also be one or more special-purpose processing devices such as an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), a digital signal processor (DSP), network processor, or the like.Processing device 302 is configured to execute thesecurity initialization system 326 for performing the operations and steps discussed herein. - The
computer system 300 may further include anetwork interface device 322. Thecomputer system 300 also may include a video display unit 310 (e.g., a liquid crystal display (LCD) or a cathode ray tube (CRT)) connected to the computer system through a graphics port and graphics chipset, an alphanumeric input device 312 (e.g., a keyboard), a cursor control device 314 (e.g., a mouse), and a signal generation device 320 (e.g., a speaker). - The
secondary memory 316 may include a machine-readable storage medium (or more specifically a computer-readable storage medium) 324 on which is stored one or more sets of instructions (e.g., the security initialization system 326) embodying any one or more of the methodologies or functions described herein. Thesecurity initialization system 326 may also reside, completely or at least partially, within themain memory 304 and/or within theprocessing device 302 during execution thereof by thecomputer system 300, themain memory 304 and theprocessing device 302 also constituting machine-readable storage media. The asecurity initialization system 326 may further be transmitted or received over anetwork 318 via thenetwork interface device 322. - The computer-
readable storage medium 324 may also be used to store thesecurity initialization system 326 persistently. While the computer-readable storage medium 324 is shown in an exemplary embodiment to be a single medium, the term “computer-readable storage medium” should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store the one or more sets of instructions. The terms “computer-readable storage medium” shall also be taken to include any medium that is capable of storing or encoding a set of instructions for execution by the machine and that cause the machine to perform any one or more of the methodologies of the present invention. The term “computer-readable storage medium” shall accordingly be taken to include, but not be limited to, solid-state memories, and optical and magnetic media. - The
security initialization system 326, components and other features described herein (for example in relation toFIG. 1 ) can be implemented as discrete hardware components or integrated in the functionality of hardware components such as ASICS, FPGAs, DSPs or similar devices. In addition, thesecurity initialization system 326 can be implemented as firmware or functional circuitry within hardware devices. Further, thesecurity initialization system 326 can be implemented in any combination hardware devices and software components. - In the above description, numerous details are set forth. It will be apparent, however, to one skilled in the art, that the present invention may be practiced without these specific details. In some instances, well-known structures and devices are shown in block diagram form, rather than in detail, in order to avoid obscuring the present invention.
- Some portions of the detailed description which follows are presented in terms of algorithms and symbolic representations of operations on data bits within a computer memory. These algorithmic descriptions and representations are the means used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. An algorithm is here, and generally, conceived to be a self-consistent sequence of steps leading to a result. The steps are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared, and otherwise manipulated. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the like.
- It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise as apparent from the following discussion, it is appreciated that throughout the description, discussions utilizing terms such as “receiving,” “storing,” “updating,” “determining,” “shutting down,” “searching,” “removing,” or the like, refer to the actions and processes of a computer system, or similar electronic computing device, that manipulates and transforms data represented as physical (e.g., electronic) quantities within the computer system's registers and memories into other data similarly represented as physical quantities within the computer system memories or registers or other such information storage, transmission or display devices.
- Embodiments of the invention also relate to an apparatus for performing the operations herein. This apparatus can be specially constructed for the required purposes, or it can comprise a general purpose computer system specifically programmed by a computer program stored in the computer system. Such a computer program can be stored in a computer-readable storage medium, such as, but not limited to, any type of disk including floppy disks, optical disks, CD-ROMs, and magnetic-optical disks, read-only memories (ROMs), random access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, or any type of media suitable for storing electronic instructions.
- The algorithms and displays presented herein are not inherently related to any particular computer or other apparatus. Various general purpose systems can be used with programs in accordance with the teachings herein, or it may prove convenient to construct a more specialized apparatus to perform the method steps. The structure for a variety of these systems will appear from the description below. In addition, embodiments of the present invention are not described with reference to any particular programming language. It will be appreciated that a variety of programming languages can be used to implement the teachings of embodiments of the invention as described herein.
- A computer-readable storage medium can include any mechanism for storing information in a form readable by a machine (e.g., a computer), but is not limited to, floppy diskettes, optical disks, Compact Disc, Read-Only Memory (CD-ROMs), and magneto-optical disks, Read-Only Memory (ROMs), Random Access Memory (RAM), Erasable Programmable Read-Only memory (EPROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), magnetic or optical cards, flash memory, or the like.
- Thus, a method and apparatus for multi-initialization of network security services. It is to be understood that the above description is intended to be illustrative and not restrictive. Many other embodiments will be apparent to those of skill in the art upon reading and understanding the above description. The scope of the invention should, therefore, be determined with reference to the appended claims, along with the full scope of equivalents to which such claims are entitled.
Claims (20)
1. A method, implemented by a client computing system programmed to perform the following, comprising:
receiving, by the client computing system, a first initialization request from a first requester to access a first database storing security data;
storing context data for the first initialization request that identifies an initialization operation associated with the first database;
receiving a second initialization request from a second requester to access a second database storing security data;
updating the context data to identify an initialization operation associated with the second database;
receiving a shut down request from one of the requesters, wherein the shut down request includes data for identifying a corresponding initialization operation in the context data;
updating the context data to show that the corresponding initialization operation has a shut down request; and
determining whether a security module is to be shut down using the context data.
2. The method of claim 1 , wherein the security module is a module to provide network security services.
3. The method of claim 1 , wherein a requester is at least one of an application and a library.
4. The method of claim 3 , wherein the application is at least one of: a web browsing application, a cryptography application, and an email application.
5. The method of claim 3 , wherein the library is a library to perform at least one of: HTTP operations and lightweight data access protocol (LDAP) operations.
6. The method of claim 1 , wherein updating the context data to show that the corresponding initialization operation has a shut down request comprises:
searching the context data for an initialization operation that corresponds to the shut down request; and
changing data for the corresponding initialization operation from the context data.
7. The method of claim 6 , wherein searching context data for an initialization operation that corresponds to the shut down request comprises:
searching the context data for an initialization operation identifier that matches an initialization operation identifier in the shut down request.
8. The method of claim 1 , wherein the shut down request includes at least one of: data identifying a requester, data identifying a database, and an initialization operation identifier.
9. The method of claim 1 , wherein determining whether a security module is to be shut down comprises:
determining that all of the initialization operations in the context data have a corresponding shut down request.
10. A system comprising:
a persistent storage unit coupled to the client to store context data for a first initialization request that identifies an initialization operation associated with a first database, to store context data for a second initialization request to identify an initialization operation associated with a second database, and to store context data to show that an initialization operation that corresponds to a shut down request has a shut down request;
a client to receive the first initialization request from a first requester to access the first database storing security data, to receive the second initialization request from a second requester to access the second database storing security data, to receive the shut down request from one of the requesters, wherein the shut down request includes data for identifying a corresponding initialization operation in the context data, and to determine whether a security module is to be shut down using the context data.
11. The system of claim 10 , wherein the security module is a module to provide network security services.
12. The system of claim 10 , wherein a requester is at least one of an application and a library.
13. The system of claim 10 , wherein the client is to update the context data to show that the corresponding initialization operation has a shut down request comprises:
searching the context data for an initialization operation that corresponds to the shut down request; and
changing data for the corresponding initialization operation from the context data.
14. A computer-readable storage medium including instructions that, when executed by a computer system, cause the computer system to perform a set of operations comprising:
receiving a first initialization request from a first requester to access a first database storing security data;
storing context data for the first initialization request that identifies an initialization operation associated with the first database;
receiving a second initialization request from a second requester to access a second database storing security data;
updating the context data to identify an initialization operation associated with the second database;
receiving a shut down request from one of the requesters, wherein the shut down request includes data for identifying a corresponding initialization operation in the context data;
updating the context data to show that the corresponding initialization operation has a shut down request; and
determining whether a security module is to be shut down using the context data.
15. The computer-readable storage medium of claim 14 , wherein the security module is a module to provide network security services.
16. The computer-readable storage medium of claim 14 , wherein a requester is at least one of an application and a library.
17. The computer-readable storage medium of claim 16 , wherein the application is at least one of: a web browsing application, a cryptography application, and an email application.
18. The computer-readable storage medium of claim 16 , wherein the library is a library to perform at least one of: HTTP operations and lightweight data access protocol (LDAP) operations.
19. The computer-readable storage medium of claim 14 , wherein updating the context data to show that the corresponding initialization operation has a shut down request comprises:
searching the context data for an initialization operation that corresponds to the shut down request; and
changing data for the corresponding initialization operation from the context data.
20. The computer-readable storage medium of claim 14 , wherein the shut down request includes at least one of: data identifying a requester, data identifying a database, and an initialization operation identifier.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/627,876 US8266262B2 (en) | 2009-11-30 | 2009-11-30 | Providing network security services for multiple requesters |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/627,876 US8266262B2 (en) | 2009-11-30 | 2009-11-30 | Providing network security services for multiple requesters |
Publications (2)
Publication Number | Publication Date |
---|---|
US20110131303A1 true US20110131303A1 (en) | 2011-06-02 |
US8266262B2 US8266262B2 (en) | 2012-09-11 |
Family
ID=44069675
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US12/627,876 Active 2030-09-16 US8266262B2 (en) | 2009-11-30 | 2009-11-30 | Providing network security services for multiple requesters |
Country Status (1)
Country | Link |
---|---|
US (1) | US8266262B2 (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110131407A1 (en) * | 2009-11-30 | 2011-06-02 | Robert Relyea | Using a pkcs module for opening multiple databases |
CN117093638A (en) * | 2023-10-17 | 2023-11-21 | 博智安全科技股份有限公司 | Micro-service data initialization method, system, electronic equipment and storage medium |
Citations (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030076870A1 (en) * | 2001-10-19 | 2003-04-24 | Samsung Electronics Co., Ltd. | Transceiver apparatus and method for efficient high-speed data retransmission and decoding in a CDMA mobile communication system |
US20040039827A1 (en) * | 2001-11-02 | 2004-02-26 | Neoteris, Inc. | Method and system for providing secure access to private networks with client redirection |
US20070002838A1 (en) * | 2005-06-30 | 2007-01-04 | Fujitsu Limited | Recording medium recording a network shutdown control program, and network shutdown device |
US7240143B1 (en) * | 2003-06-06 | 2007-07-03 | Broadbus Technologies, Inc. | Data access and address translation for retrieval of data amongst multiple interconnected access nodes |
US20070283422A1 (en) * | 2004-10-12 | 2007-12-06 | Fujitsu Limited | Method, apparatus, and computer product for managing operation |
US20090037121A1 (en) * | 2007-08-02 | 2009-02-05 | General Electric Company | System and method for detection of rotor eccentricity baseline shift |
US20090300027A1 (en) * | 2008-05-26 | 2009-12-03 | Seiko Epson Corporation | Database access server and database access system |
US20100076988A1 (en) * | 2008-09-10 | 2010-03-25 | Expanse Networks, Inc. | Masked Data Service Profiling |
US20100082541A1 (en) * | 2005-12-19 | 2010-04-01 | Commvault Systems, Inc. | Systems and methods for performing replication copy storage operations |
US20100161751A1 (en) * | 2008-12-22 | 2010-06-24 | International Business Machines Corporation | Method and system for accessing data |
US20100235413A1 (en) * | 2001-08-03 | 2010-09-16 | Isilon Systems, Inc. | Systems and methods for providing a distributed file system utilizing metadata to track information about data stored throughout the system |
US20110125642A1 (en) * | 2009-11-20 | 2011-05-26 | Mohammed Kamal | Methods and systems for indirectly retrieving account data from data storage devices |
-
2009
- 2009-11-30 US US12/627,876 patent/US8266262B2/en active Active
Patent Citations (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100235413A1 (en) * | 2001-08-03 | 2010-09-16 | Isilon Systems, Inc. | Systems and methods for providing a distributed file system utilizing metadata to track information about data stored throughout the system |
US20030076870A1 (en) * | 2001-10-19 | 2003-04-24 | Samsung Electronics Co., Ltd. | Transceiver apparatus and method for efficient high-speed data retransmission and decoding in a CDMA mobile communication system |
US20040039827A1 (en) * | 2001-11-02 | 2004-02-26 | Neoteris, Inc. | Method and system for providing secure access to private networks with client redirection |
US7240143B1 (en) * | 2003-06-06 | 2007-07-03 | Broadbus Technologies, Inc. | Data access and address translation for retrieval of data amongst multiple interconnected access nodes |
US20070283422A1 (en) * | 2004-10-12 | 2007-12-06 | Fujitsu Limited | Method, apparatus, and computer product for managing operation |
US20070002838A1 (en) * | 2005-06-30 | 2007-01-04 | Fujitsu Limited | Recording medium recording a network shutdown control program, and network shutdown device |
US20100082541A1 (en) * | 2005-12-19 | 2010-04-01 | Commvault Systems, Inc. | Systems and methods for performing replication copy storage operations |
US20090037121A1 (en) * | 2007-08-02 | 2009-02-05 | General Electric Company | System and method for detection of rotor eccentricity baseline shift |
US20090300027A1 (en) * | 2008-05-26 | 2009-12-03 | Seiko Epson Corporation | Database access server and database access system |
US20100076988A1 (en) * | 2008-09-10 | 2010-03-25 | Expanse Networks, Inc. | Masked Data Service Profiling |
US20100161751A1 (en) * | 2008-12-22 | 2010-06-24 | International Business Machines Corporation | Method and system for accessing data |
US20110125642A1 (en) * | 2009-11-20 | 2011-05-26 | Mohammed Kamal | Methods and systems for indirectly retrieving account data from data storage devices |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110131407A1 (en) * | 2009-11-30 | 2011-06-02 | Robert Relyea | Using a pkcs module for opening multiple databases |
US8909916B2 (en) * | 2009-11-30 | 2014-12-09 | Red Hat, Inc. | Using a PKCS module for opening multiple databases |
US20150095639A1 (en) * | 2009-11-30 | 2015-04-02 | Red Hat, Inc. | Using a pkcs module for opening multiple databases |
US9306937B2 (en) * | 2009-11-30 | 2016-04-05 | Red Hat, Inc. | Using a PKCS module for opening multiple databases |
US20160211975A1 (en) * | 2009-11-30 | 2016-07-21 | Red Hat, Inc. | Using a pkcs module for opening multiple databases |
US9882718B2 (en) * | 2009-11-30 | 2018-01-30 | Red Hat, Inc. | Using a module for opening multiple databases |
CN117093638A (en) * | 2023-10-17 | 2023-11-21 | 博智安全科技股份有限公司 | Micro-service data initialization method, system, electronic equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
US8266262B2 (en) | 2012-09-11 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11520912B2 (en) | Methods, media, apparatuses and computing devices of user data authorization based on blockchain | |
US11030217B2 (en) | Blockchain implementing cross-chain transactions | |
US9882718B2 (en) | Using a module for opening multiple databases | |
EP3520319B1 (en) | Distributed electronic record and transaction history | |
US20190182052A1 (en) | Techniques to secure computation data in a computing environment | |
US20220318907A1 (en) | Systems and methods for generating secure, encrypted communications across distributed computer networks for authorizing use of cryptography-based digital repositories in order to perform blockchain operations in decentralized applications | |
US9867043B2 (en) | Secure device service enrollment | |
WO2018152519A1 (en) | Performance of distributed system functions using a trusted execution environment | |
US10911538B2 (en) | Management of and persistent storage for nodes in a secure cluster | |
US10142378B2 (en) | Virtual identity of a user based on disparate identity services | |
US10992656B2 (en) | Distributed profile and key management | |
US11057368B2 (en) | Issuing a certificate based on an identification of an application | |
US11349822B2 (en) | Runtime encryption plugin for a key management system | |
US11159309B2 (en) | Obtaining quorum approval to perform an operation with a cryptographic item of a key management system | |
US20110213963A1 (en) | Using an ocsp responder as a crl distribution point | |
US11394546B2 (en) | Encrypted data key management | |
US9419805B2 (en) | Generating a CRL using a sub-system having resources separate from a main certificate authority sub-system | |
US11443023B2 (en) | Distributed profile and key management | |
US8266262B2 (en) | Providing network security services for multiple requesters | |
US11095684B2 (en) | Providing attributes of a network service | |
US20240022418A1 (en) | Cryptographic processing | |
US20210312016A1 (en) | Geo-fencing of an application for a secure cryptographic environment | |
US20230179427A1 (en) | System for processing offline digital resource transfers using a hardware device based cryptographic application | |
US20240080210A1 (en) | Systems and methods for a digital register of models monitoring changes in accuracy of artificial intelligence models | |
Wood | RF AND IOT SECURITY |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: RED HAT, INC., NORTH CAROLINA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:RELYEA, ROBERT;REEL/FRAME:023581/0573 Effective date: 20091130 |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |
|
FPAY | Fee payment |
Year of fee payment: 4 |
|
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY Year of fee payment: 8 |